Feb. 4, 2008 ― Among the member states of the European Union, protection of an individual’s personal data is a fundamental right. U.S. law and policy, by contrast, focus on data privacy, regulated on a sector-by-sector basis.

The contrasts between these approaches and attempts at harmonization in a high-tech world of transnational commerce, crime, and terrorism were examined during a conference at Duke Law School on Jan. 28. “Data Privacy in Transatlantic Perspective: Conflict or Cooperation?” brought together American and European policymakers, business leaders, and scholars to discuss such challenges as designing comprehensive privacy laws and policies, meeting multiple ― often conflicting ― data privacy standards, and coping with international terrorism. Duke’s Center for European Studies and the Center for International and Comparative Law co-sponsored the conference, which was chaired by Professor Francesca Bignami.

The U.S. approach: notice and consent
U.S. law and policy directed at consumer privacy is based on a system of notice and consent, explained Howard Beales, a professor of law at George Washington University. The practice of giving consumers notice of an organization’s privacy policies and the choice to accept or reject them is central to the Federal Trade Commission’s (FTC) oversight of unfair and deceptive commercial practices. The FTC can take action against companies that fail to comply with their own privacy policies or misuse personal information, said Beales, a former director of the FTC Bureau of Consumer Protection.

The effectiveness of that approach was questioned by a number of panelists, however. Consumer comprehension of privacy notices is extremely low, said Annie Anton, a professor of software engineering at North Carolina State University who studies the effectiveness of cybersecurity policies. The notices, too, rarely give consumers the information they seek, she added. “[They] want to see information… that states things about information transfer, notice, and storage,” while most privacy documents emphasize data integrity and security, data collection, and user choice and consent.

Fred Cate, director of the Center for Applied Cybersecurity Research and a professor at Indiana University School of Law, called choice “intellectually dishonest,” as consumers are essentially forced to accept most privacy policies. “When you download software, for example, you are asked if you accept the privacy policies, but can’t proceed unless you click on ‘yes,’” he said. Exemptions in privacy laws, too, allow non-consensual transfer of personal data for such purposes as law enforcement and credit reporting, he said, suggesting that the U.S. should abandon its separate regulation of the public and private spheres.

“That wall doesn’t exist in the data world ― data moves freely between the two,” he said. “We need to be thinking not just about substantive protections in the commercial environment, but in the government environment as well: government access to individual data, government access to private sector data about individuals, the compulsory disclosure of data where there is no apparent use for it, our retention of data without limits. These are the issues on which we should focus substantive guidelines.”

The European view: data protection as fundamental right
Article 8 of the Charter of Fundamental Rights of the European Union establishes an individual’s rights regarding the collection, transmission, retention, and deletion of his or her personal data. It includes the right of an individual to have that data “rectified,” with data protection overseen by an independent authority, and applies to public and private sectors alike. The EU’s Data Protection Directive (Directive 95/46/EC) bars transfers of personal data to non-EU countries unless they provide “adequate” privacy protections.

Harmonization between the U.S. and European approaches has proven particularly challenging in the national security context since the Sept. 11 terrorist attacks, a situation well illustrated by the prolonged negotiations to reach an agreement on passenger name records, said Professor Bignami. Faced with U.S. demands for airlines to give the Department of Homeland Security access to such information as passenger passport and credit card numbers, and even hotel reservations within the United States, the European Commission protested, arguing the demands violated its data protection requirements. A final agreement deemed “adequate” by European standards ― though one on which the Europeans compromised considerably, according to Bignami ― was reached in July 2007, almost five years after the issue arose.

Although the passenger name records controversy has led to the creation of a high-level contact group of U.S. and EU officials in order to facilitate better approaches to government-to-government information-sharing, similar disputes are likely to arise again, observed Bignami. The United States is unlikely ever to elevate data protection to the level of a fundamental right, she said, because it would require a reinterpretation of the Fourth and 14th Amendments. Still, the European panelists uniformly voiced their commitment to that level of protection, arguing that it serves the interests of justice and national security as much as it does consumers.

“Public security can only be provided in the name of the law and [by] upholding the rule of law,” said Thomas Zerkick, administrator of the European Commission’s Directorate-General for Justice, Liberties and Security. “[That] means protecting and upholding human and fundamental rights … against undue interference of public authorities.

“Respect for fundamental rights is a precondition for the fight against crime,” he went on. “Only [then] will you be sure that the criminal justice system works. You’ll be sure that you can use evidence in court. You will get criminals convicted and you will get sentences that are not going to be annulled because of lack of respect for fundamental rights. And ultimately, only if you respect those guarantees will your partners in the global fight trust you and be willing to cooperate with you.”

The search for harmonization
In the commercial context, the United States and the European Union have developed the “Safe Harbor” privacy framework in order to facilitate compliance with the European Union’s requirement of “adequate” privacy protections for the transatlantic transfer of personal data. Adherence to the Safe Harbor principles is entirely voluntary, but once a company signs on to the program, the FTC gains enforcement authority, including the right to investigate complaints. Companies are joining the accord as they engage in e-discovery and as their customers demand compliance in order to complete global transactions, said Damon Greer, who directs the Safe Harbor program for the U.S. Department of Commerce. Sectors not covered by Safe Harbor include financial services, telecommunications common carriers, insurance companies, and non-profit institutions.

Even with Safe Harbor and other international accords, global data flows pose a challenge for transnational commerce, and companies operating internationally have to negotiate multiple, occasionally conflicting, data privacy standards. Those standards are changing as well; at least one high-level European data protection official would even like Internet Protocol (IP) addresses designated as personal information.

“We have to figure out ways to design-in processes, so that when we identify personal data, we know how to handle it appropriately,” said David Hoffman ’93, group counsel and director of Privacy and Security Policy for Intel. “We have done a lot of work collectively as a privacy area of study as to what the principles are. We have the obligation to design systems that apply those principles. [Internet service providers] could design their system to make their IPs more dynamic. People who are collecting the data can choose not to relate [it] for other purposes. It’s understanding what the uses of the technology or the services are and trying to design [systems] with a maximum of privacy protection up front.”
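As an added illustration of what “designing in” the handling of IP addresses can look like once they are treated as personal data, the Python below scrubs a few constructed web-server log lines before storage. It is example code written for this page, not Intel’s or any panelist’s code. It demonstrates the two handling choices raised in the discussion: truncation (dropping the host part, so the stored value no longer points at one subscriber) and purpose-bound pseudonymisation (a keyed HMAC whose key is derived from the stated purpose, so records collected for abuse handling cannot be joined with records collected for analytics). The /24 and /48 truncation widths, the HMAC-based purpose-key derivation, and the sample log lines are assumptions chosen for the example.

```python
"""Privacy-by-design handling of IP addresses in log lines (added example)."""
import hashlib
import hmac
import ipaddress
import re
from typing import Optional, Tuple

# Candidate tokens are runs of hex digits, dots and colons. Anything that does
# not parse as an IP address (timestamps, version numbers, words like "Feb")
# is left exactly as it was.
_CANDIDATE = re.compile(r"[0-9A-Fa-f.:]+")

# Constructed sample input (not real traffic); documentation ranges only.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Feb/2008:10:15:32 -0500] "GET /privacy HTTP/1.1" 200 5120',
    '2001:db8:85a3::8a2e:370:7334 - - [04/Feb/2008:10:16:01 -0500] "POST /login HTTP/1.1" 302 0',
    'upstream 203.0.113.9:8443 replied in 12.5 ms, version 1.2.3',
]


def truncate_ip(text: str) -> str:
    """Zero the host bits. Assumed policy: IPv4 keeps /24, IPv6 keeps /48."""
    ip = ipaddress.ip_address(text)
    bits = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return str(network.network_address)


def pseudonymise_ip(text: str, secret: bytes, purpose: str) -> str:
    """Keyed, purpose-bound pseudonym.

    Same address + same purpose -> same token, so per-client rate limiting
    or abuse counting still works. A different purpose yields an unrelated
    token, so the two data sets cannot be linked. Rotating `secret`
    (e.g. daily) makes older logs unlinkable to newer ones.
    """
    ip = ipaddress.ip_address(text)  # canonicalises, e.g. 2001:DB8::1
    purpose_key = hmac.new(secret, purpose.encode(), hashlib.sha256).digest()
    tag = hmac.new(purpose_key, ip.packed, hashlib.sha256).hexdigest()
    return f"ip-{tag[:16]}"


def _find_ip(token: str) -> Optional[Tuple[str, str]]:
    """Split a candidate token into (address, trailing_text), or None."""
    for candidate in (token, token.rstrip(".:")):  # "10.0.0.1." at sentence end
        tail = token[len(candidate):]
        try:
            ipaddress.ip_address(candidate)
            return candidate, tail
        except ValueError:
            pass
    core = token.rstrip(".:")
    if core.count(":") == 1 and "." in core:  # IPv4 with a ":port" suffix
        host, port = core.split(":")
        try:
            ipaddress.ip_address(host)
            return host, ":" + port + token[len(core):]
        except ValueError:
            pass
    return None


def scrub_line(line: str, secret: Optional[bytes] = None, purpose: str = "") -> str:
    """Rewrite every IP address in `line`.

    Without a secret the address is truncated; with a secret and a purpose
    it is replaced by a purpose-bound pseudonym. Everything else is untouched.
    """
    def repl(match: "re.Match[str]") -> str:
        found = _find_ip(match.group(0))
        if found is None:
            return match.group(0)
        addr, tail = found
        if secret is None:
            return truncate_ip(addr) + tail
        return pseudonymise_ip(addr, secret, purpose) + tail

    return _CANDIDATE.sub(repl, line)


if __name__ == "__main__":
    secret = b"rotate-me-daily"  # assumed per-day key, kept out of the log store
    for raw in SAMPLE_LOG:
        print("truncated :", scrub_line(raw))
        print("abuse-only:", scrub_line(raw, secret, "abuse"))
```

The candidate regex is deliberately loose and relies on `ipaddress` for validation, so time stamps such as `2008:10:15:32` and version strings such as `1.2.3` are never mistaken for addresses. The pseudonym keeps only 64 bits of the HMAC, which is enough to avoid collisions in a log store while denying an attacker who obtains the logs, but not the secret, any way to recover or enumerate the original addresses.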

The conference coincided with the observation of the inaugural Data Privacy Day in the United States, coordinated by Leonardo Cervera Navas, currently an EU Fellow at Duke University.

“Data Privacy in Transatlantic Perspective: Conflict or Cooperation?” is available for viewing as a webcast.